The legal situation since July 1, 2025
Section 393 SGB V establishes, for the first time, a clear legal basis for using cloud services to process social and health data in Germany. It covers providers under SGB V — including physicians, dentists, psychotherapists, hospitals, and pharmacies — as well as statutory health and long-term care insurers and their respective processors. Anyone acting as a cloud provider that processes social or health data for this group must be able to produce a current C5 attestation.
Until June 30, 2025, a C5 Type 1 attestation was still considered sufficient. Since July 1, 2025, a C5 Type 2 attestation is required — proof that the security measures didn't just exist on a given date, but actually operated effectively over a longer audit period.
The Cloud Computing Compliance Criteria Catalogue (C5) is a BSI-developed criteria catalog with 125 audit criteria across 17 topic areas — from technical safeguards to physical security to organizational processes. A C5 attestation is issued by an independent auditing firm and confirms that a cloud service meets these minimum standards.
The mix-up: infrastructure attestation vs. service attestation
In our market scan of cloud software for medical and psychotherapy practices, one recurring pattern stood out: vendors advertise phrases like “our data is stored on C5-certified cloud services” or “stored in certified German data centers.” That sounds reassuring — but it doesn't answer the question Section 393 SGB V actually asks.
A C5 attestation can refer to two entirely different things: the infrastructure (the data center or hyperscaler a piece of software runs on), or the service itself (the actual application that processes, stores, and analyzes your patient or client data). Section 393 SGB V requires the attestation of the data-processing entity — not the attestation of its hosting provider.
A hyperscaler or data center operator can hold a flawless C5 Type 2 attestation — and the software running on top of it can still be entirely unaudited. Vulnerabilities, broken access controls, or weak tenant isolation at the application layer are not covered by an infrastructure-level attestation. That is precisely the layer Section 393 SGB V is meant to cover.
For more on the general C5 framework and its extension with sovereignty criteria, see our article on BSI C3A and the C5 standard.
Checklist: what to actually ask your software vendor
1. Is there a C5 Type 2 attestation for our specific service — not just for the infrastructure underneath it?
2. Who issued the attestation, and for what audit period is it valid?
3. Can we review the attestation, or have its provision contractually guaranteed?
4. What happens if the attestation expires before a new one is issued — is there a transition arrangement?
An evasive or unclear answer to the first question is, by itself, already an answer.
The alternative that sidesteps the attestation question entirely
There is one way to avoid the attestation discussion altogether: AI and practice software that runs locally, on premises, and never sends data to a third-party cloud provider in the first place. There is no external service whose C5 attestation you would need to check — because there is no external service.
For small practices, this is achievable today without a dedicated server room or IT department: a single device, a normal office power outlet, no special infrastructure. We set up exactly that — see Local AI for Practices & Law Firms. Law firms operate under a separate legal basis (client confidentiality under Section 203 of the German Criminal Code rather than Section 393 SGB V) — but the same principle of local instead of cloud-based processing applies just as well.
Conclusion
Section 393 SGB V turned a formerly voluntary best practice into a concrete legal requirement — with a nuance that gets lost in a lot of vendor marketing copy: what counts is the attestation of the application, not the attestation of the data center underneath it. Keeping that distinction in mind the next time you read a software vendor's privacy page means asking the right question — and for those who'd rather not have to ask it at all, local instead of cloud-based software is often the more pragmatic path.
Frequently asked questions about Section 393 SGB V and the C5 attestation
What does Section 393 SGB V actually require?
Since July 1, 2025, Section 393 of SGB V (the German Social Code Book V) requires a current C5 Type 2 attestation whenever cloud computing is used to process social or health data on behalf of providers covered by SGB V — including physicians, dentists, psychotherapists, hospitals, pharmacies, and statutory health and long-term care insurers and their processors. The key point: the attestation must cover the data-processing entity itself, not just the infrastructure underneath it.
Is it enough if a software vendor advertises a "C5-certified data center"?
In our assessment, not necessarily. A C5 attestation for the hosting provider (data center, hyperscaler) confirms the security of the infrastructure — it says nothing about whether the application that actually processes your data has itself been audited. Section 393 SGB V explicitly targets the data-processing entity. When in doubt, ask the vendor directly whose attestation it actually is.
Does Section 393 SGB V apply to practices that bill exclusively privately?
That needs to be assessed case by case and isn’t something this article can answer in general terms — the provision addresses providers covered by SGB V. This article is not legal advice; if you’re unsure, an individual legal assessment is recommended.
What’s the difference between C5 Type 1 and Type 2?
A Type 1 attestation confirms that security measures were in place as of a specific date. A Type 2 attestation additionally demonstrates that those measures actually operated effectively over a longer audit period. Since July 1, 2025, a current Type 2 attestation is required within the scope of Section 393 SGB V — an expired Type 1 attestation no longer suffices.
